Business travel

Internet security

The dangers of sharing your customers' details

AN ARTICLE in this week's Economist reports on the theft of data from Epsilon, a marketing-services company that sends out more than 40 billion e-mails a year on behalf of many of America's biggest companies. It seems an outsider managed to get hold of the e-mail addresses and names of some of the individuals whose details are held on Epsilon's systems.

If a flood of dodgy e-mails does now appear, it will certainly damage the reputations of the firms that gave Epsilon their customers' data. Many of them, including Marriott International, a hotel chain, have been quick to blame the marketing firm for the leak and to alert their customers to the risks. But this may not be enough to spare them from criticism. “Given the size of Marriott, why would you trust a third party to have this [customer] information in the first place?” wrote a disgruntled commenter on the hotelier's website.

A colleague who is a customer of Marriott forwarded the e-mail that the hotel group sent him. "We take your privacy very seriously," it trumpeted. "Marriott has a long-standing commitment to protecting the privacy of the personal information that our guests entrust to us. We regret this has taken place and apologize for any inconvenience."

Now it is possible that Epsilon fell victim to the greatest criminal plot yet unleashed on internet security, led by a Professor Moriarty of Web 2.0. In which case there would be some excuse for the failing. But until the details are known and shared, the seriousness with which it—and by extension its clients (which also include Ritz-Carlton and Hilton)—have been taking their obligation to customers' privacy does come into question.

Readers' comments

When I opened a line with Spain's biggest telecoms company, Telefonica, the operator misspelt my name. So it was very easy to identify who they had been merrily giving my address to as I got a flood of unsolicited junk addressed to a Mr Greabes.

So far, at least, the only unwanted e-mails I have received as a result of the Epsilon theft have been from companies alerting me, sometimes more than once, that they gave my e-mail to Epsilon and someone then stole it.

It is a fallacy to assume that even big companies can or will handle data more securely than third parties who (should) specialize in doing so. Data security is not a trivial task; it requires expertise in which a hotel company (for example) is unlikely to invest. Outsourcing that aspect of their business to a third party can actually be a *more* secure approach, as long as they choose one that does invest adequately in security. Pending further info on this breach, it appears that Epsilon may not have. One might fault Marriott and the others for choosing Epsilon, but keeping the data in house would probably be worse in the end.

@Craww_ling: Security through obscurity is not security. Even if companies maintained their own email servers, it's likely that they would be choosing from a handful of software platforms to handle the email.

If a hacker figures out how to hack into Email System X for company Y, that hack will likely work on any company using Email System X.

I'm not overly concerned with this breach. Spammers use a variety of sources to create email addresses and email providers such as Google, Yahoo and Microsoft have fairly sophisticated spam filters.

The real question is how many names and emails did the hacker get hold of?

Your headline refers to "The dangers" of giving your email address away. Yet like CJ Lives, I am yet to experience any consequences of the email theft, and to be honest I am not really sure what the dangers might be. A bit more spam? I get huge amounts already. So far I have received fulsome apologies from Marriott and American Express and am yet to get any extra unsolicited mail. There's just this email from this poor unfortunate Mr Frederic Rupert, in Benin...